* Mon Apr 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-183
- Allow modemmanager to talk to logind - Dontaudit tor daemon needs net_admin capability. rhbz#1311788 - Allow GDM write to event devices. This rule is needed for GDM, because other display managers run the X server as root; GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042 - Xorg now writes content in users homedir.
parent
4c61782def
commit
64f8164852
@ -29116,16 +29116,17 @@ index cc877c7..b8e6e98 100644
|
||||
+ xserver_rw_xdm_pipes(ssh_agent_type)
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
||||
index 8274418..53f66a4 100644
|
||||
index 8274418..5f31270 100644
|
||||
--- a/policy/modules/services/xserver.fc
|
||||
+++ b/policy/modules/services/xserver.fc
|
||||
@@ -2,13 +2,38 @@
|
||||
@@ -2,13 +2,39 @@
|
||||
# HOME_DIR
|
||||
#
|
||||
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
|
||||
+HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
|
||||
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
|
||||
+HOME_DIR/\.local/share/fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
|
||||
+HOME_DIR/\.local/share/xorg(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
|
||||
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
|
||||
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
|
||||
@ -29158,7 +29159,7 @@ index 8274418..53f66a4 100644
|
||||
|
||||
#
|
||||
# /dev
|
||||
@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
@@ -22,13 +48,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
|
||||
@ -29181,7 +29182,7 @@ index 8274418..53f66a4 100644
|
||||
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
|
||||
@@ -46,26 +79,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
@@ -46,26 +80,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
# /tmp
|
||||
#
|
||||
|
||||
@ -29223,7 +29224,7 @@ index 8274418..53f66a4 100644
|
||||
|
||||
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
|
||||
@@ -91,19 +133,34 @@ ifndef(`distro_debian',`
|
||||
@@ -91,19 +134,34 @@ ifndef(`distro_debian',`
|
||||
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
||||
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
@ -29262,7 +29263,7 @@ index 8274418..53f66a4 100644
|
||||
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
@@ -111,7 +168,18 @@ ifndef(`distro_debian',`
|
||||
@@ -111,7 +169,18 @@ ifndef(`distro_debian',`
|
||||
/var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
@ -31042,7 +31043,7 @@ index 6bf0ecc..e6be63a 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||
index 8b40377..436b1e0 100644
|
||||
index 8b40377..fe6657c 100644
|
||||
--- a/policy/modules/services/xserver.te
|
||||
+++ b/policy/modules/services/xserver.te
|
||||
@@ -26,28 +26,66 @@ gen_require(`
|
||||
@ -32099,7 +32100,7 @@ index 8b40377..436b1e0 100644
|
||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
@@ -638,25 +1128,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -32118,6 +32119,11 @@ index 8b40377..436b1e0 100644
|
||||
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
|
||||
logging_log_filetrans(xserver_t, xserver_log_t, file)
|
||||
+manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
|
||||
+
|
||||
+manage_dirs_pattern(xserver_t, xdm_home_t, xdm_home_t)
|
||||
+manage_files_pattern(xserver_t, xdm_home_t, xdm_home_t)
|
||||
+manage_lnk_files_pattern(xserver_t, xdm_home_t, xdm_home_t)
|
||||
+gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg")
|
||||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@ -32136,7 +32142,7 @@ index 8b40377..436b1e0 100644
|
||||
corenet_all_recvfrom_netlabel(xserver_t)
|
||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||
@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t)
|
||||
@@ -677,23 +1179,28 @@ dev_rw_apm_bios(xserver_t)
|
||||
dev_rw_agp(xserver_t)
|
||||
dev_rw_framebuffer(xserver_t)
|
||||
dev_manage_dri_dev(xserver_t)
|
||||
@ -32168,7 +32174,7 @@ index 8b40377..436b1e0 100644
|
||||
|
||||
# brought on by rhgb
|
||||
files_search_mnt(xserver_t)
|
||||
@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t)
|
||||
@@ -705,6 +1212,14 @@ fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
|
||||
@ -32183,7 +32189,7 @@ index 8b40377..436b1e0 100644
|
||||
mls_xwin_read_to_clearance(xserver_t)
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
@@ -718,20 +1228,18 @@ init_getpgid(xserver_t)
|
||||
@@ -718,20 +1233,18 @@ init_getpgid(xserver_t)
|
||||
term_setattr_unallocated_ttys(xserver_t)
|
||||
term_use_unallocated_ttys(xserver_t)
|
||||
|
||||
@ -32207,7 +32213,7 @@ index 8b40377..436b1e0 100644
|
||||
|
||||
userdom_search_user_home_dirs(xserver_t)
|
||||
userdom_use_user_ttys(xserver_t)
|
||||
@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||
@@ -739,8 +1252,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||
userdom_read_user_tmp_files(xserver_t)
|
||||
userdom_rw_user_tmpfs_files(xserver_t)
|
||||
|
||||
@ -32216,7 +32222,7 @@ index 8b40377..436b1e0 100644
|
||||
ifndef(`distro_redhat',`
|
||||
allow xserver_t self:process { execmem execheap execstack };
|
||||
domain_mmap_low_uncond(xserver_t)
|
||||
@@ -785,17 +1291,54 @@ optional_policy(`
|
||||
@@ -785,17 +1296,54 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -32273,7 +32279,7 @@ index 8b40377..436b1e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -803,6 +1346,10 @@ optional_policy(`
|
||||
@@ -803,6 +1351,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -32284,7 +32290,7 @@ index 8b40377..436b1e0 100644
|
||||
xfs_stream_connect(xserver_t)
|
||||
')
|
||||
|
||||
@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
@@ -818,18 +1370,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
@ -32309,7 +32315,7 @@ index 8b40377..436b1e0 100644
|
||||
can_exec(xserver_t, xkb_var_lib_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
@@ -842,26 +1388,21 @@ init_use_fds(xserver_t)
|
||||
@@ -842,26 +1393,21 @@ init_use_fds(xserver_t)
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -32344,7 +32350,7 @@ index 8b40377..436b1e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
@@ -912,7 +1458,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
@ -32353,7 +32359,7 @@ index 8b40377..436b1e0 100644
|
||||
# operations allowed on all windows
|
||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||
|
||||
@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write };
|
||||
@@ -966,11 +1512,31 @@ allow x_domain self:x_resource { read write };
|
||||
# can mess with the screensaver
|
||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||
|
||||
@ -32385,7 +32391,7 @@ index 8b40377..436b1e0 100644
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined(x_domain),
|
||||
# but typeattribute doesnt work in conditionals
|
||||
@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',`
|
||||
@@ -992,18 +1558,148 @@ tunable_policy(`! xserver_object_manager',`
|
||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||
')
|
||||
|
||||
|
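Review bot: The rules from `manage_dirs_pattern(xserver_t, xdm_home_t, xdm_home_t)` through `gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg")` reuse the display manager's home type for Xorg's own per-user state, so xserver_t now gets full manage rights over every xdm_home_t object in the home directory, not only the `~/.local/share/xorg` tree that the new file-context line labels. If xdm_home_t also labels other display-manager-owned home content elsewhere in the policy (not visible here), a dedicated type for the xorg directory would keep the grant scoped to what the change needs. The added block also carries no comment explaining why the X server writes into the home directory at all; a line such as `# Xorg started as the session user keeps its log/state under ~/.local/share/xorg` above it would spare the next reader a trip to the changelog. The xserver_t local-policy block these lines sit in starts and ends outside the hunk.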
@ -49519,7 +49519,7 @@ index b1ac8b5..24782b3 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/modemmanager.te b/modemmanager.te
|
||||
index d15eb5b..6e2a403 100644
|
||||
index d15eb5b..7f3c31d 100644
|
||||
--- a/modemmanager.te
|
||||
+++ b/modemmanager.te
|
||||
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
|
||||
@ -49561,6 +49561,14 @@ index d15eb5b..6e2a403 100644
|
||||
|
||||
logging_send_syslog_msg(modemmanager_t)
|
||||
|
||||
@@ -56,3 +63,7 @@ optional_policy(`
|
||||
udev_read_db(modemmanager_t)
|
||||
udev_manage_pid_files(modemmanager_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ systemd_dbus_chat_logind(modemmanager_t)
|
||||
+')
|
||||
diff --git a/mojomojo.fc b/mojomojo.fc
|
||||
index 7b827ca..5ee8a0f 100644
|
||||
--- a/mojomojo.fc
|
||||
@ -107581,7 +107589,7 @@ index 61c2e07..3b86095 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/tor.te b/tor.te
|
||||
index 5ceacde..40e9303 100644
|
||||
index 5ceacde..9353adb 100644
|
||||
--- a/tor.te
|
||||
+++ b/tor.te
|
||||
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
|
||||
@ -107608,7 +107616,16 @@ index 5ceacde..40e9303 100644
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
|
||||
@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
|
||||
allow tor_t tor_etc_t:file read_file_perms;
|
||||
allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
+dontaudit tor_t self:capability { net_admin };
|
||||
+
|
||||
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
|
||||
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
|
||||
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
|
||||
@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
|
||||
corenet_udp_sendrecv_generic_node(tor_t)
|
||||
corenet_tcp_bind_generic_node(tor_t)
|
||||
corenet_udp_bind_generic_node(tor_t)
|
||||
@ -107616,7 +107633,7 @@ index 5ceacde..40e9303 100644
|
||||
corenet_sendrecv_dns_server_packets(tor_t)
|
||||
corenet_udp_bind_dns_port(tor_t)
|
||||
corenet_udp_sendrecv_dns_port(tor_t)
|
||||
@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
|
||||
@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
|
||||
corenet_sendrecv_tor_server_packets(tor_t)
|
||||
corenet_tcp_bind_tor_port(tor_t)
|
||||
corenet_tcp_sendrecv_tor_port(tor_t)
|
||||
@ -107624,7 +107641,7 @@ index 5ceacde..40e9303 100644
|
||||
|
||||
corenet_sendrecv_all_client_packets(tor_t)
|
||||
corenet_tcp_connect_all_ports(tor_t)
|
||||
@@ -98,19 +108,22 @@ dev_read_urand(tor_t)
|
||||
@@ -98,19 +110,22 @@ dev_read_urand(tor_t)
|
||||
domain_use_interactive_fds(tor_t)
|
||||
|
||||
files_read_etc_runtime_files(tor_t)
|
||||
@ -116833,7 +116850,7 @@ index 0928c5d..d270a72 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
|
||||
diff --git a/xguest.te b/xguest.te
|
||||
index a64aad3..fe078eb 100644
|
||||
index a64aad3..d923154 100644
|
||||
--- a/xguest.te
|
||||
+++ b/xguest.te
|
||||
@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0)
|
||||
@ -116902,7 +116919,7 @@ index a64aad3..fe078eb 100644
|
||||
storage_raw_read_removable_device(xguest_t)
|
||||
storage_raw_write_removable_device(xguest_t)
|
||||
',`
|
||||
@@ -54,9 +55,22 @@ ifndef(`enable_mls',`
|
||||
@@ -54,9 +55,25 @@ ifndef(`enable_mls',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -116913,6 +116930,9 @@ index a64aad3..fe078eb 100644
|
||||
+kernel_dontaudit_request_load_module(xguest_t)
|
||||
+kernel_read_software_raid_state(xguest_t)
|
||||
+
|
||||
+#GDM runs the X server as the unprivileged user.
|
||||
+dev_rw_input_dev(xguest_t)
|
||||
+
|
||||
+tunable_policy(`selinuxuser_execstack',`
|
||||
+ allow xguest_t self:process execstack;
|
||||
+')
|
||||
@ -116926,7 +116946,7 @@ index a64aad3..fe078eb 100644
|
||||
files_dontaudit_getattr_boot_dirs(xguest_t)
|
||||
files_search_mnt(xguest_t)
|
||||
|
||||
@@ -65,10 +79,9 @@ optional_policy(`
|
||||
@@ -65,10 +82,9 @@ optional_policy(`
|
||||
fs_manage_noxattr_fs_dirs(xguest_t)
|
||||
fs_getattr_noxattr_fs(xguest_t)
|
||||
fs_read_noxattr_fs_symlinks(xguest_t)
|
||||
@ -116938,7 +116958,7 @@ index a64aad3..fe078eb 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -84,12 +97,25 @@ optional_policy(`
|
||||
@@ -84,12 +100,25 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
@ -116950,23 +116970,23 @@ index a64aad3..fe078eb 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ colord_dbus_chat(xguest_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- gnomeclock_dontaudit_dbus_chat(xguest_t)
|
||||
+ chrome_role(xguest_r, xguest_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ thumb_role(xguest_r, xguest_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- gnomeclock_dontaudit_dbus_chat(xguest_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_dontaudit_chat_system_bus(xguest_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -97,75 +123,78 @@ optional_policy(`
|
||||
@@ -97,75 +126,78 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
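Review bot: `dev_rw_input_dev(xguest_t)` grants read/write on the input event devices to the whole xguest_t session domain, not just to the X server that GDM launches inside it, so every process confined as xguest_t can read raw input events from all input devices. Since the rule exists only for the GDM case, guarding it with a tunable, the way the `selinuxuser_execstack` block directly below already does for execstack, or arranging for the user-launched X server to transition into xserver_t, would keep the grant off sessions that do not need it. The comment above the rule should also carry the bug reference from the changelog, e.g. `# GDM runs the X server as the unprivileged user, so the session domain needs the event devices (rhbz#1232042)`. If the same rule was added to other user domains in parts of the patch not shown here, the same point applies there; the enclosing xguest local policy continues outside the hunk.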
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 182%{?dist}
|
||||
Release: 183%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -653,6 +653,12 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Apr 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-183
|
||||
- Allow modemmanager to talk to logind
|
||||
- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
|
||||
- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
|
||||
- Xorg now writes content in users homedir.
|
||||
|
||||
* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
|
||||
- rename several contrib modules according to their filenames
|
||||
- Add interface gnome_filetrans_cert_home_content()
|
||||
|